safe-mode + (outdir != sourcedir) == jail violation

asciidoctor / asciidoctor-diagram

:left_right_arrow: Asciidoctor diagram extension, with support for AsciiToSVG, BlockDiag (BlockDiag, SeqDiag, ActDiag, NwDiag), Ditaa, Erd, GraphViz, Mermaid, Msc, PlantUML, Shaape, SvgBob, Syntrax, UMLet, Vega, Vega-Lite and WaveDrom.

http://asciidoctor.org

MIT License

431 stars 106 forks source link

safe-mode + (outdir != sourcedir) == jail violation #262

Open slonopotamus opened 4 years ago

slonopotamus commented 4 years ago

Please, see my repro repository.

It has a single book/book.adoc:

= Diagrams

[ditaa, "cool-diag"]
....
+----+
|Jail|
+----+
....

And I try to convert that book to a different directory:

$ asciidoctor -r asciidoctor-diagram --safe-mode server -D output book/book.adoc

But suddenly, this produces warnings:

asciidoctor: WARNING: path is outside of jail; recovering automatically
asciidoctor: WARNING: path is outside of jail; recovering automatically

And as a result, book/cool-diag.png is created instead of output/cool-diag.png.

Expected: no warnings + cool-diag.png is created in output directory instead of book directory.

Reproduced using asciidoctor-2.0.10 + asciidoctor-diagram 2.0.1.

So, seems like jail mechanism did here the reverse of what it was supposed to do. Instead of allowing to write only into destination dir, it rejected writing to destination dir and forced writing into source dir.

mojavelinux commented 4 years ago

I think this is more of a core issue. The jail mechanism has never really been fully fleshed out. It was more of a paranoid mode than a truly useful one. This is a good example. I've long wanted to rework it so it behaves more logically.

slonopotamus commented 4 years ago

I think this is more of a core issue

I possibly agree, though don't know how to reproduce it with core standalone. I guess you have permissions to transfer issue to core.

It was more of a paranoid mode than a truly useful one.

I came across this bug because it turned out that Asciidoctor.convert_file defaults to SAFE mode (unlike CLI that defaults to UNSAFE), so I assumed SAFE mode is something that is used pretty extensively.

mojavelinux commented 4 years ago

I came across this bug because it turned out that Asciidoctor.convert_file defaults to SAFE mode (unlike CLI that defaults to UNSAFE), so I assumed SAFE mode is something that is used pretty extensively.

There's a weird history around it. Basically, it had to be that way for Asciidoctor to work on GitHub, even though GitHub doesn't actually use any features that are affected by it.

coulas commented 3 weeks ago

To reproduce on core, you can use includes with sources under the source tree or output tree, etc. I am using Doctoolchain 3.3.1 that embeds gradle launching a ruby implementation of Asciidoctor. When I include files under the source tree, I get the same error, the included file is not in the jail that jail being the output directory, not the source directory. So I can't include diagrams that are in the same directory of the Adoc file, nor include source code even when it is in the subfolder of the folder containing the Adoc file.